Skip to content
Latchkey

semantic-release "EGITHUBBADTOKENSCOPE" wrong token scope in CI

The @semantic-release/github plugin checked the scopes on your GitHub token and found they are insufficient to create releases and push. The token authenticates but is missing the repo/write scope required to operate.

What this error means

The run fails with "EGITHUBBADTOKENSCOPE The GitHub token configured in the GH_TOKEN or GITHUB_TOKEN environment variable doesn't allow to push".

semantic-release
[semantic-release] > EGITHUBBADTOKENSCOPE The GitHub token doesn't have the required permissions.
The GitHub token configured in the GH_TOKEN or GITHUB_TOKEN environment variable must have
the required permissions to push on the repository owner/repo.

Common causes

A fine-grained PAT missing the Contents permission

A fine-grained token was created without the Contents: read and write permission, so the scope check fails.

A classic PAT without the repo scope

A classic personal access token that only has read-only scopes cannot create releases or push.

How to fix it

Regenerate the PAT with the right scope

  1. For a classic PAT, enable the repo scope.
  2. For a fine-grained PAT, grant Contents write and Pull requests / Issues as needed.
  3. Update the secret and re-run the release.

Use a GitHub App installation token

A GitHub App token scoped to the repo with contents write avoids classic-PAT scope pitfalls.

.github/workflows/release.yml
- uses: actions/create-github-app-token@v1
  id: apptoken
  with:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}

How to prevent it

  • Grant Contents write when creating fine-grained tokens for releases.
  • Prefer a GitHub App token for least-privilege, auto-rotating auth.
  • Document the exact scopes the release token needs.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →